[krbdev.mit.edu #8972] krb5_init_creds_step() can make synchronous TGS requests for FAST armor TGTs
Greg Hudson via RT
rt-comment at krbdev.mit.edu
Thu Dec 17 00:27:37 EST 2020
Thu Dec 17 00:27:37 2020: Request 8972 was acted upon.
Transaction: Ticket created by ghudson at mit.edu
Queue: krb5
Subject: krb5_init_creds_step() can make synchronous TGS requests for FAST
armor TGTs
Owner: Nobody
Requestors: ghudson at mit.edu
Status: new
Ticket <URL: https://krbdev.mit.edu/rt/Ticket/Display.html?id=8972 >

get_in_tkt.c calls krb5int_fast_as_armor(), which calls fast_armor_ap_request()
if the DO_FAST flag is set. To get the armor TGT, fast_armor_ap_request() calls
krb5_get_credentials() with no special flags. Under ordinary circumstances,
this just fetches the client-realm TGT from the cache. However, after a realm
referral, krb5_get_credentials() may be asked to retrieve a TGT for another
realm, in which case it will make TGS requests.

This behavior is intentional, but it does not honor the stepwise contract of
krb5_init_creds_step() (which was implemented later than the FAST code).
Instead of using the sequential API, we should create a TGS state machine to be
referenced from the AS step machine, and step through it until it is complete.
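
The restructuring proposed in the ticket, sketched as a toy model that is added here for illustration and is not libkrb5 code or the eventual fix: the AS step function drives a nested TGS machine and hands every request back to the caller instead of sending it itself. All names (as_machine, tgs_machine, as_step, tgs_step, drive) are hypothetical, and both exchanges are simplified to one round trip per hop.

```c
/* Toy model, not libkrb5 code: every name here is hypothetical. */
enum msg { MSG_NONE, MSG_TGS_REQ, MSG_AS_REQ };

struct tgs_machine { int hops_left; };   /* cross-realm hops to the armor TGT */
struct as_machine { int need_armor, as_sent; struct tgs_machine tgs; };

/* One TGS step: never blocks; reports whether a request must be sent. */
static enum msg tgs_step(struct tgs_machine *t, int have_reply)
{
    if (have_reply && t->hops_left > 0)
        t->hops_left--;                  /* the reply yielded the next TGT */
    return t->hops_left > 0 ? MSG_TGS_REQ : MSG_NONE;
}

/* One AS step: steps the nested TGS machine first, then the AS exchange.
 * Returns the message the caller must send; *done is set when finished. */
static enum msg as_step(struct as_machine *a, int have_reply, int *done)
{
    *done = 0;
    if (a->need_armor) {                 /* set after a realm referral */
        enum msg m = tgs_step(&a->tgs, have_reply);
        if (m != MSG_NONE)
            return m;                    /* the caller performs the I/O */
        a->need_armor = 0;               /* armor TGT obtained */
        have_reply = 0;                  /* the reply was consumed by TGS */
    }
    if (!a->as_sent) {
        a->as_sent = 1;
        return MSG_AS_REQ;
    }
    *done = have_reply;                  /* AS reply received: finished */
    return MSG_NONE;
}

/* Caller loop: counts which requests surface to the caller, by kind.
 * Returns the number of steps taken, or -1 if the exchange never finished. */
static int drive(int hops, int *tgs_count, int *as_count)
{
    struct as_machine a = { hops > 0, 0, { hops } };
    int done = 0, have_reply = 0, steps = 0;
    *tgs_count = *as_count = 0;
    while (!done && steps < 16) {
        enum msg m = as_step(&a, have_reply, &done);
        if (m == MSG_TGS_REQ) (*tgs_count)++;
        if (m == MSG_AS_REQ) (*as_count)++;
        have_reply = (m != MSG_NONE);    /* constructed: pretend the KDC answered */
        steps++;
    }
    return done ? steps : -1;
}
```

With two cross-realm hops the caller sees two TGS requests followed by one AS request, so its own transport, timeouts and event loop apply to all of them.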